Implemented package_index.json signature verification (#791)

* Added download of signature files for 'downloads.arduino.cc' domain

* Slightly simplified tmp file creation

* Use patched version of rice-box

This version must be kept until the following pull request is merged
upstream: GeertJohan/go.rice#159

* Added signature verification subroutines

* Implemented package_index.json signature verification

* Added missing license headers

* Added negative test on signature check

* Only copy signature if the file is present

arduino/security/signature_test.go

@@ -0,0 +1,36 @@
+// This file is part of arduino-cli.
+//
+// Copyright 2020 ARDUINO SA (http://www.arduino.cc/)
+//
+// This software is released under the GNU General Public License version 3,
+// which covers the main part of arduino-cli.
+// The terms of this license can be found at:
+// https://www.gnu.org/licenses/gpl-3.0.en.html
+//
+// You can be released from the requirements of the above licenses by purchasing
+// a commercial license. Buying such a license is mandatory if you want to
+// modify or otherwise use the software for commercial activities involving the
+// Arduino software without disclosing the source code of your own applications.
+// To purchase a commercial license, send an email to [email protected].
+
+package security
+
+import (
+	"testing"
+
+	"github.com/arduino/go-paths-helper"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSignatureVerification(t *testing.T) {
+	res, signer, err := VerifyArduinoDetachedSignature(paths.New("testdata/package_index.json"), paths.New("testdata/package_index.json.sig"))
+	require.NoError(t, err)
+	require.NotNil(t, signer)
+	require.True(t, res)
+	require.Equal(t, uint64(0x7baf404c2dfab4ae), signer.PrimaryKey.KeyId)
+
+	res, signer, err = VerifyArduinoDetachedSignature(paths.New("testdata/invalid_file.json"), paths.New("testdata/package_index.json.sig"))
+	require.False(t, res)
+	require.Nil(t, signer)
+	require.Error(t, err)
+}

arduino/security/signatures.go

@@ -0,0 +1,54 @@
+// This file is part of arduino-cli.
+//
+// Copyright 2020 ARDUINO SA (http://www.arduino.cc/)
+//
+// This software is released under the GNU General Public License version 3,
+// which covers the main part of arduino-cli.
+// The terms of this license can be found at:
+// https://www.gnu.org/licenses/gpl-3.0.en.html
+//
+// You can be released from the requirements of the above licenses by purchasing
+// a commercial license. Buying such a license is mandatory if you want to
+// modify or otherwise use the software for commercial activities involving the
+// Arduino software without disclosing the source code of your own applications.
+// To purchase a commercial license, send an email to [email protected].
+
+package security
+
+import (
+	"fmt"
+
+	rice "github.com/GeertJohan/go.rice"
+	"github.com/arduino/go-paths-helper"
+	"golang.org/x/crypto/openpgp"
+)
+
+// VerifyArduinoDetachedSignature that give signaturePath GPG signature match the given targetPath file
+// ant the is an authentic signature from Arduino.
+func VerifyArduinoDetachedSignature(targetPath *paths.Path, signaturePath *paths.Path) (bool, *openpgp.Entity, error) {
+	keysBox, err := rice.FindBox("keys")
+	if err != nil {
+		panic("could not find bundled signature keys")
+	}
+	arduinoKeyringFile, err := keysBox.Open("arduino_public.gpg.key")
+	if err != nil {
+		panic("could not find bundled signature keys")
+	}
+	keyRing, err := openpgp.ReadKeyRing(arduinoKeyringFile)
+	if err != nil {
+		return false, nil, fmt.Errorf("retrieving Arduino public keys: %s", err)
+	}
+
+	target, err := targetPath.Open()
+	if err != nil {
+		return false, nil, fmt.Errorf("opening target file: %s", err)
+	}
+	defer target.Close()
+	signature, err := signaturePath.Open()
+	if err != nil {
+		return false, nil, fmt.Errorf("opening signature file: %s", err)
+	}
+	defer signature.Close()
+	signer, err := openpgp.CheckDetachedSignature(keyRing, target, signature)
+	return (signer != nil && err == nil), signer, err
+}